# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later
+# todo: max line length macro changed in t11. look into it
+# todo: check that all macros we use are still valid in t11
# todo: setup an alert for bouncing test emails.
i /etc/systemd/system/clamav-daemon.service.d/fix.conf <<EOF
[Service]
-ExecStartPre=-/bin/mkdir /var/run/clamav
+ExecStartPre=-/bin/mkdir -p /var/run/clamav
ExecStartPre=/bin/chown clamav /var/run/clamav
EOF
# old.
#vpnser=mailvpn.service
-# todo: this hangs if it cant resolv the endpoint. we
-# want it to just retry in the background.
+# note: this hangs if it cant resolv the endpoint. we
+# want it to just retry in the background. i just use a static ip instead.
+#
+# Note: at least on t10, on reboot, the service fails to come up according to systemd, but
+# in reality it is up and working, then it tries to restart infinitely, and fails
+# because it detects that the interface exists.
+#
+# failing output:
+#
+# Aug 02 21:59:27 sy wg-quick[2092]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
+# Aug 02 21:59:27 sy wg-quick[2248]: [#] iptables-restore -n
+# Aug 02 21:59:27 sy wg-quick[2249]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
+# Aug 02 21:59:27 sy wg-quick[2259]: [#] iptables-restore -n
+# Aug 02 21:59:27 sy wg-quick[2260]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
+# Aug 02 21:59:27 sy systemd[1]: wg-quick@wgmail.service: Main process exited, code=exited, status=4/NOPERMISSION
+
+
+# successful output.
+# Aug 03 14:12:47 sy wg-quick[711336]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
+# Aug 03 14:12:47 sy wg-quick[711384]: [#] iptables-restore -n
+# Aug 03 14:12:47 sy wg-quick[711336]: [#] ping -w10 -c1 10.8.0.1 ||:
+# Aug 03 14:12:47 sy wg-quick[711389]: PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
+# Aug 03 14:12:47 sy wg-quick[711389]: 64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=73.0 ms
+# Aug 03 14:12:47 sy wg-quick[711389]: --- 10.8.0.1 ping statistics ---
+# Aug 03 14:12:47 sy wg-quick[711389]: 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+# Aug 03 14:12:47 sy wg-quick[711389]: rtt min/avg/max/mdev = 72.993/72.993/72.993/0.000 ms
+# Aug 03 14:12:47 sy systemd[1]: Finished WireGuard via wg-quick(8) for wgmail.
+# Aug 02 21:59:27 sy systemd[1]: wg-quick@wgmail.service: Failed with result 'exit-code'.
+# Aug 02 21:59:27 sy systemd[1]: Failed to start WireGuard via wg-quick(8) for wgmail.
+# Aug 02 21:59:47 sy systemd[1]: wg-quick@wgmail.service: Scheduled restart job, restart counter is at 1.
+# Aug 02 21:59:47 sy systemd[1]: Stopped WireGuard via wg-quick(8) for wgmail.
+# Aug 02 21:59:47 sy systemd[1]: Starting WireGuard via wg-quick(8) for wgmail...
+# Aug 02 21:59:47 sy wg-quick[3424]: wg-quick: `wgmail' already exists
+# Aug 02 21:59:47 sy systemd[1]: wg-quick@wgmail.service: Main process exited, code=exited, status=1/FAILURE
+# Aug 02 21:59:47 sy systemd[1]: wg-quick@wgmail.service: Failed with result 'exit-code'.
+# Aug 02 21:59:47 sy systemd[1]: Failed to start WireGuard via wg-quick(8) for wgmail.
+
+
+# According to iptables -S and iptables -t nat -S,
+# there are no modifications to iptables rules on a succsfull run,
+# and
+
vpnser=wg-quick@wgmail.service
case $HOSTNAME in
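Review bot: The new note ends mid-sentence at `# and`, so whatever conclusion the `iptables -S` / `iptables -t nat -S` comparison supported is lost; either finish the sentence or drop those three lines. The quoted failure log identifies the actual first fault — both `iptables-restore -n` invocations lost the xtables lock race at boot and wg-quick exited with status 4 — whereas every later restart fails only because the partial `up` left the interface behind. As the logged command lines show, wg-quick itself invokes `iptables-restore -n`, so `-w` is not something this file can add; what this file can do is order the unit after whichever firewall service holds the lock at boot (`After=`), or tear down the half-configured interface on failure so the retry can succeed (per systemd.service(5), `ExecStop=` only runs after a successful start while `ExecStopPost=` also runs after a failed one). I would record whichever mitigation was chosen in place of the dangling sentence.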
;;
esac
+# * wghole (another mail vpn)
+
+if $bhost_t; then
+ i /etc/systemd/system/wg-quick@wghole.service.d/override.conf <<'EOF'
+[Unit]
+StartLimitIntervalSec=0
+
+[Service]
+Restart=on-failure
+RestartSec=20
+EOF
+fi
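Review bot: This override makes wg-quick@wghole retry forever (`StartLimitIntervalSec=0` together with `Restart=on-failure`), yet the wgmail log quoted above shows why that alone cannot recover from a failed start: after the first failure `wg-quick up` keeps exiting 1 with `wgmail' already exists`, so the loop burns a restart every 20 seconds without ever bringing the tunnel up. A failed start needs a cleanup step, and since `ExecStop=` only runs after a successful start, the drop-in is the place for it: add `ExecStopPost=-/usr/bin/wg-quick down %i` under `[Service]`, where the leading `-` tolerates the interface not existing. Whether wgmail is meant to get the same treatment is not visible here; if so, the shared settings could live in a `wg-quick@.service.d` drop-in instead of a per-instance one.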
+
# * spamassassin config
i /etc/sysctl.d/80-iank-mail.conf <<'EOF'
# see exim spec
# * Update mail cert
-if [[ -e /p/c/filesystem ]]; then
- # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with
- # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
- # after my internet was down for a bit:
- # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
- m /a/exe/vpn-mk-client-cert -b mailclient -n mail li.iankelling.org
-fi
+
+
+## needed only for openvpn mail vpn.
+# if [[ -e /p/c/filesystem ]]; then
+# # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with
+# # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
+# # after my internet was down for a bit:
+# # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
+# m /a/exe/vpn-mk-client-cert -b mailclient -n mail li.iankelling.org
+# fi
# With openvpn, I didn't get around to persisting the openvpn
# cert/configs into /p/c/machine_specific/bk, so I had this case to
MAIN_TRUSTED_GROUPS = $u
EOF
+cd /etc/exim4
+{
+ for f in *-private.pem; do
+ echo ${f%-private.pem}
+ done
+} | i /etc/exim4/conf.d/my-dkim-domains
+
+cat >/etc/exim4/conf.d/transport/11_iank <<'EOF'
+# This unsets the default macro defined in on t11 in
+# /etc/exim4/conf.d/transport/10_exim4-config_transport-macros
+# It seems like a very odd choice that this has become
+# the default in t11. Normal smarthost clients use username/password
+# auth. Oh well.
+REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS ==
+EOF
+
cat >/etc/exim4/conf.d/main/000_local <<'EOF'
MAIN_TLS_ENABLE = true
DKIM_CANON = relaxed
DKIM_SELECTOR = li
-# from comments in
+# From comments in
# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
# and its best for this to align https://tools.ietf.org/html/rfc7489#page-8
# There could be some circumstance when the
# from: isnt our domain, but the envelope sender is
# and so still want to sign, but I cant think of any case.
-DKIM_DOMAIN = ${lc:${domain:$rh_from:}}
+#DKIM_DOMAIN = ${lc:${domain:$rh_from:}}
+# In t11, we cant do the above anymore because this is tainted data used in a file lookup.
+# /usr/share/doc/exim4/NEWS.Debian.gz suggests to use lookups to untaint data.
+DKIM_DOMAIN = ${lookup {${domain:$rh_from:}}lsearch,ret=key{/etc/exim4/conf.d/my-dkim-domains}}
+
# The file is based on the outgoing domain-name in the from-header.
# sign if key exists
DKIM_PRIVATE_KEY = ${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}
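Review bot: `REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS ==` in 11_iank turns off server-certificate verification for the smarthost transport, and the justification in its comment has the threat backwards: username/password auth does nothing against an impersonated smarthost, certificate verification is what keeps the passwd.client secret from being handed to a man-in-the-middle. If the smarthost is only ever reached over the WireGuard tunnel the exposure is bounded, but then the comment should say so, or the macro should be set to a host list that exempts only the tunnel peer rather than emptied for every host. Separately, the `cd /etc/exim4` that builds my-dkim-domains is unguarded and so is the glob: if no key files are present and nullglob is unset, the literal `*-private.pem` pattern becomes a lookup key, and the `cd` stays in effect for the rest of the script; `cd /etc/exim4 || exit 1` plus `[[ -e $f ]] || continue` inside the loop would close both gaps. On the DKIM_DOMAIN change, dropping `${lc:...}` looks fine to me if I read exim's lsearch semantics right (the key comparison is case-insensitive and `ret=key` returns the key as spelled in the file, i.e. the filename stem that DKIM_PRIVATE_KEY then opens), but a one-line comment stating that would save the next reader the check.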
remote_smtp_vpn:
debug_print = "T: remote_smtp_vpn for $local_part@$domain"
driver = smtp
-.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
- message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
-.endif
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
driver = smtp
multi_domain
-.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
- message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
-.endif
hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
{\
${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
# i use epanic-clean for alerting if there are bad paniclog entries
E4BCD_WATCH_PANICLOG='no'
EOF
+ # make exim be a nonroot setuid program.
chown Debian-exim:Debian-exim /usr/sbin/exim4
# needs guid set in order to become Debian-exim
chmod g+s,u+s /usr/sbin/exim4
+ # need this to avoid error on service reload:
+ # 2022-08-07 18:44:34.005 [892491] pid 892491: SIGHUP received: re-exec daemon
+ # 2022-08-07 18:44:34.036 [892491] cwd=/var/spool/exim4 5 args: /usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf
+ # 2022-08-07 18:44:34.043 [892491] socket bind() to port 25 for address (any IPv6) failed: Permission denied: waiting 30s before trying again (9 more tries)
+ # note: the daemon gives up and dies after retrying those 9 times.
+ # I came upon this by guessing and trial and error.
+ setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4
i /etc/exim4/trusted_configs <<'EOF'
/etc/exim4/my.conf
EOF
# this whole setting doesnt work. tried it with a newer systemd 250 though
# an nspawn, and it worked there.
InaccessiblePaths=${dirs[@]}
-NoNewPrivileges=yes
+# this gives us the permission denied error:
+# socket bind() to port 25 for address (any IPv6) failed: Permission denied
+# but we also have to set the file capabilities to avoid the error.
+#NoNewPrivileges=yes
ProtectSystem=yes
# when we get newer systemd
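Review bot: Commenting out `NoNewPrivileges=yes` is what lets the setuid/setgid bits and the new `setcap CAP_NET_BIND_SERVICE+ei` on /usr/sbin/exim4 take effect, so this change trades a sandbox property for the SIGHUP re-exec bind to work; the comment records the symptom but not the trade-off, and I would add `# NoNewPrivileges also masks the setuid bit and file caps on exim4 that the re-exec relies on`. Two caveats belong next to the setcap line: with `+ei` and no `p`, the capability is only acquired by a caller whose inheritable set already carries it (if I read capabilities(7) correctly, this is narrower than the usual `+ep`, which would hand the capability to anyone executing the binary — worth confirming the daemon's re-exec path is the only caller that needs it), and dpkg replaces the binary on every exim4 upgrade, which drops the ownership, mode and the xattr, so this script must be re-run afterwards or the next reload will die the same way. Also, chown/chmod/setcap are not wrapped in `m` like the surrounding commands, so a failure of any of them would pass silently.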
backup_remote:
driver = smtp
multi_domain
-.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
- message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.ifdef IGNORE_SMTP_LINE_LENGTH_LIMIT
+ message_linelength_limit = 1000000
.endif
hosts_require_auth = *
hosts_try_auth = *
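Review bot: backup_remote now gets `message_linelength_limit = 1000000` under `.ifdef IGNORE_SMTP_LINE_LENGTH_LIMIT`, but the parallel `.ifndef` blocks in remote_smtp_vpn and remote_smtp_smarthost earlier in this change are removed without a replacement, so the three transports no longer agree on long-line handling. If the intent is that Debian's 10_exim4-config_transport-macros now covers the other two, a comment here saying so would help; if not, the same `.ifdef` block belongs in them as well. Worth noting too that the old `message_size_limit` trick rejected over-long lines locally, whereas the new option passes them on to the remote, which may still reject them at the 998-octet limit; a comment on which behaviour is wanted would make the choice deliberate.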
echo | /a/exe/cedit nn /etc/hosts || [[ $? == 1 ]]
echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]]
-
+ # note: condition duplicated at else
if $bhost_t; then
install -d /bu
install -d -g Debian-exim -o Debian-exim -m 771 /bu/md
RestartSec=20
EOF
- else
+ else # if $bhost_t; then
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# Note: If theres like a temporary problem where mail gets sent to
# one of these hosts, if exim isnt listening, it will be a temporary error
case $HOSTNAME in
$MAIL_HOST|bk)
# config for the non-nn exim
- m rsync -ra --delete /etc/exim4/ /etc/myexim4
- cat >>/etc/myexim4/conf.d/main/000_local-nn <<'EOF'
+ m rsync -ra --delete --delete-excluded --exclude=/conf.d/main/000_local-nn /etc/exim4/ /etc/myexim4
+ cat >>/etc/myexim4/conf.d/main/000_local <<'EOF'
# this makes it easier to see which exim is doing what
log_file_path = /var/log/exim4/my%s
EOF
+
+
cat >/etc/logrotate.d/myexim <<'EOF'
/var/log/exim4/mymain /var/log/exim4/myreject {
daily
m systemctl daemon-reload
fi
+# checking bhost_t is redundant, but could help us catch errors.
+if $bhost_t || [[ -e /etc/wireguard/wghole.conf ]]; then
+ # todo: in mail-setup, we have a static list of backup hosts, not *y
+ m systemctl --now enable wg-quick@wghole
+fi
+
sysd-prom-fail-install epanicclean
m systemctl --now enable epanicclean
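Review bot: The guard `if $bhost_t || [[ -e /etc/wireguard/wghole.conf ]]` does not do what its comment claims: with `||`, a false `$bhost_t` can never catch anything, it only widens the condition so that any host with a leftover wghole.conf brings the tunnel up. If the goal is to detect a mismatch between host role and config presence, test them separately, e.g. `if $bhost_t && [[ ! -e /etc/wireguard/wghole.conf ]]; then echo "wghole.conf missing on backup host" >&2; fi`, and gate the `systemctl --now enable` on `$bhost_t` alone. The override drop-in earlier in the change is already gated on `$bhost_t` by itself, so keeping the two conditions identical also avoids enabling a unit whose override was never installed.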